|
1 | 1 | #![forbid(unsafe_op_in_unsafe_fn)] |
2 | 2 |
|
| 3 | +use crate::mem::DropGuard; |
3 | 4 | use crate::pin::Pin; |
4 | | -use crate::ptr; |
5 | | -use crate::sync::atomic::Ordering::Relaxed; |
6 | | -use crate::sync::atomic::{Atomic, AtomicUsize}; |
7 | 5 | use crate::sys::pal::sync as pal; |
8 | 6 | use crate::sys::sync::{Mutex, OnceBox}; |
9 | 7 | use crate::time::{Duration, Instant}; |
10 | 8 |
|
| 9 | +struct StateGuard<'a> { |
| 10 | + mutex: Pin<&'a pal::Mutex>, |
| 11 | +} |
| 12 | + |
| 13 | +impl<'a> Drop for StateGuard<'a> { |
| 14 | + fn drop(&mut self) { |
| 15 | + unsafe { self.mutex.unlock() }; |
| 16 | + } |
| 17 | +} |
| 18 | + |
| 19 | +struct State { |
| 20 | + mutex: pal::Mutex, |
| 21 | + condvar: pal::Condvar, |
| 22 | +} |
| 23 | + |
| 24 | +impl State { |
| 25 | + fn condvar(self: Pin<&Self>) -> Pin<&pal::Condvar> { |
| 26 | + unsafe { self.map_unchecked(|this| &this.condvar) } |
| 27 | + } |
| 28 | + |
| 29 | + fn condvar_mut(self: Pin<&mut Self>) -> Pin<&mut pal::Condvar> { |
| 30 | + unsafe { self.map_unchecked_mut(|this| &mut this.condvar) } |
| 31 | + } |
| 32 | + |
| 33 | + /// Locks the `mutex` field and returns a [`StateGuard`] that unlocks the |
| 34 | + /// mutex when it is dropped. |
| 35 | + /// |
| 36 | + /// # Safety |
| 37 | + /// |
| 38 | + /// * The `mutex` field must not be locked by this thread. |
| 39 | + /// * Dismissing the guard leads to undefined behaviour when this `State` |
| 40 | + /// is dropped, as it is undefined behaviour to destroy a locked mutex. |
| 41 | + unsafe fn lock(self: Pin<&Self>) -> StateGuard<'_> { |
| 42 | + let mutex = unsafe { self.map_unchecked(|this| &this.mutex) }; |
| 43 | + unsafe { mutex.lock() }; |
| 44 | + StateGuard { mutex } |
| 45 | + } |
| 46 | +} |
| 47 | + |
11 | 48 | pub struct Condvar { |
12 | | - cvar: OnceBox<pal::Condvar>, |
13 | | - mutex: Atomic<usize>, |
| 49 | + state: OnceBox<State>, |
14 | 50 | } |
15 | 51 |
|
16 | 52 | impl Condvar { |
17 | 53 | pub const fn new() -> Condvar { |
18 | | - Condvar { cvar: OnceBox::new(), mutex: AtomicUsize::new(0) } |
| 54 | + Condvar { state: OnceBox::new() } |
19 | 55 | } |
20 | 56 |
|
21 | 57 | #[inline] |
22 | | - fn get(&self) -> Pin<&pal::Condvar> { |
23 | | - self.cvar.get_or_init(|| { |
24 | | - let mut cvar = Box::pin(pal::Condvar::new()); |
| 58 | + fn state(&self) -> Pin<&State> { |
| 59 | + self.state.get_or_init(|| { |
| 60 | + let mut state = |
| 61 | + Box::pin(State { mutex: pal::Mutex::new(), condvar: pal::Condvar::new() }); |
| 62 | + |
25 | 63 | // SAFETY: we only call `init` once per `pal::Condvar`, namely here. |
26 | | - unsafe { cvar.as_mut().init() }; |
27 | | - cvar |
| 64 | + unsafe { state.as_mut().condvar_mut().init() }; |
| 65 | + state |
28 | 66 | }) |
29 | 67 | } |
30 | 68 |
|
31 | | - #[inline] |
32 | | - fn verify(&self, mutex: Pin<&pal::Mutex>) { |
33 | | - let addr = ptr::from_ref::<pal::Mutex>(&mutex).addr(); |
34 | | - // Relaxed is okay here because we never read through `self.mutex`, and only use it to |
35 | | - // compare addresses. |
36 | | - match self.mutex.compare_exchange(0, addr, Relaxed, Relaxed) { |
37 | | - Ok(_) => {} // Stored the address |
38 | | - Err(n) if n == addr => {} // Lost a race to store the same address |
39 | | - _ => panic!("attempted to use a condition variable with two mutexes"), |
40 | | - } |
41 | | - } |
42 | | - |
43 | | - #[inline] |
44 | 69 | pub fn notify_one(&self) { |
| 70 | + let state = self.state(); |
| 71 | + // Notifications might be sent right after a mutex used with `wait` or |
| 72 | + // `wait_timeout` is unlocked. Waiting until the state mutex is |
| 73 | + // available ensures that the thread unlocking the mutex is enqueued |
| 74 | + // on the inner condition variable, as the mutex is only unlocked |
| 75 | + // with the state mutex held. |
| 76 | + // |
| 77 | + // Releasing the state mutex before issuing the notification stops |
| 78 | + // the awakened threads from having to wait on this thread unlocking |
| 79 | + // the mutex. |
| 80 | + // |
| 81 | + // SAFETY: |
| 82 | + // The functions in this module are never called recursively, so the |
| 83 | + // state mutex cannot be currently locked by this thread. |
| 84 | + drop(unsafe { state.lock() }); |
45 | 85 | // SAFETY: we called `init` above. |
46 | | - unsafe { self.get().notify_one() } |
| 86 | + unsafe { state.condvar().notify_one() } |
47 | 87 | } |
48 | 88 |
|
49 | | - #[inline] |
50 | 89 | pub fn notify_all(&self) { |
| 90 | + let state = self.state(); |
| 91 | + // Notifications might be sent right after a mutex used with `wait` or |
| 92 | + // `wait_timeout` is unlocked. Waiting until the state mutex is |
| 93 | + // available ensures that the thread unlocking the mutex is enqueued |
| 94 | + // on the inner condition variable, as the mutex is only unlocked |
| 95 | + // with the state mutex held. |
| 96 | + // |
| 97 | + // Releasing the state mutex before issuing the notification stops |
| 98 | + // the awakened threads from having to wait on this thread unlocking |
| 99 | + // the mutex. |
| 100 | + // |
| 101 | + // SAFETY: |
| 102 | + // The functions in this module are never called recursively, so the |
| 103 | + // state mutex cannot be currently locked by this thread. |
| 104 | + drop(unsafe { state.lock() }); |
51 | 105 | // SAFETY: we called `init` above. |
52 | | - unsafe { self.get().notify_all() } |
| 106 | + unsafe { state.condvar().notify_all() } |
53 | 107 | } |
54 | 108 |
|
55 | | - #[inline] |
56 | 109 | pub unsafe fn wait(&self, mutex: &Mutex) { |
57 | | - // SAFETY: the caller guarantees that the lock is owned, thus the mutex |
58 | | - // must have been initialized already. |
59 | | - let mutex = unsafe { mutex.pal.get_unchecked() }; |
60 | | - self.verify(mutex); |
61 | | - // SAFETY: we called `init` above, we verified that this condition |
62 | | - // variable is only used with `mutex` and the caller guarantees that |
63 | | - // `mutex` is locked by the current thread. |
64 | | - unsafe { self.get().wait(mutex) } |
| 110 | + let state = self.state(); |
| 111 | + // Lock the state mutex before unlocking `mutex` to ensure that |
| 112 | + // notifications occurring before this thread is enqueued on the |
| 113 | + // condvar are not missed. |
| 114 | + // |
| 115 | + // SAFETY: |
| 116 | + // The functions in this module are never called recursively, so the |
| 117 | + // state mutex cannot be currently locked by this thread. |
| 118 | + let guard = unsafe { state.lock() }; |
| 119 | + |
| 120 | + // SAFETY: |
| 121 | + // The caller must guarantee that `mutex` is currently locked by this |
| 122 | + // thread. |
| 123 | + unsafe { mutex.unlock() }; |
| 124 | + // Ensure that the mutex is locked when this function returns or panics. |
| 125 | + let _relock = DropGuard::new(mutex, |mutex| mutex.lock()); |
| 126 | + |
| 127 | + // SAFETY: |
| 128 | + // * `init` was called above |
| 129 | + // * the condition variable is only ever used with the state mutex |
| 130 | + // * the state mutex was locked above |
| 131 | + unsafe { state.condvar().wait(guard.mutex) }; |
65 | 132 | } |
66 | 133 |
|
67 | 134 | pub unsafe fn wait_timeout(&self, mutex: &Mutex, dur: Duration) -> bool { |
68 | | - // SAFETY: the caller guarantees that the lock is owned, thus the mutex |
69 | | - // must have been initialized already. |
70 | | - let mutex = unsafe { mutex.pal.get_unchecked() }; |
71 | | - self.verify(mutex); |
| 135 | + let state = self.state(); |
| 136 | + // Lock the state mutex before unlocking `mutex` to ensure that |
| 137 | + // notifications occurring before this thread is enqueued on the |
| 138 | + // condvar are not missed. |
| 139 | + // |
| 140 | + // SAFETY: |
| 141 | + // The functions in this module are never called recursively, so the |
| 142 | + // state mutex cannot be currently locked by this thread. |
| 143 | + let guard = unsafe { state.lock() }; |
| 144 | + |
| 145 | + // SAFETY: |
| 146 | + // The caller must guarantee that `mutex` is currently locked by this |
| 147 | + // thread. |
| 148 | + unsafe { mutex.unlock() }; |
| 149 | + // Ensure that the mutex is locked when this function returns or panics. |
| 150 | + let _relock = DropGuard::new(mutex, |mutex| mutex.lock()); |
72 | 151 |
|
73 | 152 | if pal::Condvar::PRECISE_TIMEOUT { |
74 | | - // SAFETY: we called `init` above, we verified that this condition |
75 | | - // variable is only used with `mutex` and the caller guarantees that |
76 | | - // `mutex` is locked by the current thread. |
77 | | - unsafe { self.get().wait_timeout(mutex, dur) } |
| 153 | + // SAFETY: |
| 154 | + // * `init` was called above |
| 155 | + // * the condition variable is only ever used with the state mutex |
| 156 | + // * the state mutex was locked above |
| 157 | + unsafe { state.condvar().wait_timeout(guard.mutex, dur) } |
78 | 158 | } else { |
79 | 159 | // Timeout reports are not reliable, so do the check ourselves. |
80 | 160 | let now = Instant::now(); |
81 | | - // SAFETY: we called `init` above, we verified that this condition |
82 | | - // variable is only used with `mutex` and the caller guarantees that |
83 | | - // `mutex` is locked by the current thread. |
84 | | - let woken = unsafe { self.get().wait_timeout(mutex, dur) }; |
| 161 | + // SAFETY: |
| 162 | + // * `init` was called above |
| 163 | + // * the condition variable is only ever used with the state mutex |
| 164 | + // * the state mutex was locked above |
| 165 | + let woken = unsafe { state.condvar().wait_timeout(guard.mutex, dur) }; |
85 | 166 | woken || now.elapsed() < dur |
86 | 167 | } |
87 | 168 | } |
|
0 commit comments